Simple webserver file alteration monitoring using integrit

6 June 2007

Intrusion detection?

Over on Mezzoblue, Dave Shea found out that his website had been subtly compromised. The attacker had exploited some (as yet unknown) security hole and quietly modified his website to link to the usual spam sites.

Within a few hours there were dozens of posts from people who’d checked their websites and found similar modifications that had been sitting there unnoticed, with people pointing the finger either at old WordPress installations or guessing that their hosting service had been compromised.

This shows us once again that any software you run on your website needs to be kept up to date immediately, but what shocked me was that so many people out there are running websites without watching them for file changes. They had no idea that their sites had been hacked until they went and looked for it.

So – in bold: Anyone running a website or webserver of any type needs to watch out for unexpected access and changes.

The easiest way to do this is to use some intrusion detection software (IDS). This sounds complex, but it’s actually quite easy to do. All these programs do is monitor your files and warn you when they change. This would have immediately spotted this type of attack.

Because of this, I’ve decided to write up an easy guide to simple file alteration monitoring – here it is.

Choose your weapon:

There are plenty of intrusion detection/file modification apps out there – some of the better known ones include AIDE, Samhain and Tripwire. These are all very cool, and highly powerful, but are also quite complex and hard to install, especially on cheap shared hosting.

Therefore, my weapon of choice for the last few months has been a lightweight and fast application called integrit, so I’m going to tell you how to install it here.

Before we start: Do make sure that you’re not compromised right now. There’s no point running an IDS if you’re already hacked, because the baseline you create would then include the attacker’s changes and treat them as normal. While you’re at it, make sure everything’s upgraded too.

Step 1: Make a place to store integrit:

Since you’re on shared hosting, you can’t install integrit properly into /usr, but you still need to put it somewhere.

I decided to install it to a directory called “integrit” inside my home dir, so:

mkdir ~/integrit

In the following commands, do remember to replace any mention of ~/integrit with the directory you used.

Next we need to put the integrit binary somewhere we can get at it. Here I’ve just dumped it into the ~/integrit directory, but you could put it in ~/bin or somewhere nicer if you want:

cp integrit ~/integrit

Step 3: Set up integrit:

Look in the integrit-4.1/examples directory and make a config file from the example.

You need three things at least:

The known file database – this is where integrit stores the trusted baseline of your files.

The current file database – this is where integrit writes the fresh snapshot it takes on each run, which it compares against the known database.

A root directory to monitor – this is the full path to the directory we want to watch.

We can also tell integrit to ignore directories by listing them with an exclamation mark at the start of the line. We want to ignore the ~/integrit directory (otherwise every run would flag the database files it just wrote), and on Dreamhost we’ll also need to ignore the webserver log directory, because it changes a lot and parts of it our user can’t read, which causes errors.

Paste the above into a file called “run_integrit.sh” (a good place to put it would be in your ~/integrit directory), edit the paths to match your setup, and change the email address. Finally, make this file executable:

chmod +x ~/integrit/run_integrit.sh

Now all we have to do is to add that to our crontab.

crontab -e

– and add a line that looks something like this:

59 21 * * * /home/simon/integrit/run_integrit.sh

This will run integrit at 21:59 every day. If you don’t know what that means, then have a google for “crontab tutorial”.

Save the file, and you’re off.

Updating the database after valid changes:

When you’ve changed or added a file yourself, you’ll need to update your known database with those changes. To do this, just generate a current database and copy it over the old one. The script above already generates a current database on every run, so you can just use that version, or repeat Step 4.
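To make the known/current/root/ignore model concrete, here is an added example that is not part of the original post and not integrit’s own code: a tiny file-alteration monitor built from sha256sum that does the same job, including the ignore list for the log and database directories and the “copy current over known” update step from the section above. The directory names, the database file names and the sample site contents are constructed for the demo; it needs GNU coreutils and paths without whitespace.

```shell
#!/bin/sh
# Added example, not from the post or the integrit project: a minimal
# "known vs current" file database built from sha256sum output. It mirrors
# the three settings integrit's config needs (root to watch, known database,
# current database) plus an ignore list like integrit's "!" lines.
# All names and paths below are assumptions for the demo. Requires GNU
# coreutils (find, sha256sum, sort, awk); paths must not contain whitespace.

# fim_scan ROOT OUTFILE [IGNORED_DIR ...]
# Walk ROOT, skipping the ignored directories, and write one line per
# regular file in the form "<sha256>  <path>", sorted by path.
fim_scan() {
    root="$1"; out="$2"; shift 2
    prune=""
    for d in "$@"; do
        prune="$prune -path $d -prune -o"
    done
    # $prune is deliberately left unquoted so it expands into find arguments
    find "$root" $prune -type f -print |
        while IFS= read -r f; do sha256sum "$f"; done |
        sort -k 2 > "$out"
}

# fim_check KNOWN CURRENT
# Print ADDED / CHANGED / REMOVED lines; return 1 if anything differs.
fim_check() {
    diffs=$(awk '
        FILENAME == ARGV[1] { known[$2] = $1; next }   # first file: known db
        !($2 in known)      { print "ADDED    " $2; next }
        known[$2] != $1     { print "CHANGED  " $2 }
        { seen[$2] = 1 }
        END { for (p in known) if (!(p in seen)) print "REMOVED  " p }
    ' "$1" "$2" | sort)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# fim_update KNOWN CURRENT
# After legitimate changes of your own, accept the current database as the
# new baseline (the post's "copy it over the old one").
fim_update() { cp "$2" "$1"; }

# fim_demo: build a constructed site tree, baseline it, alter it the way the
# post describes, report the differences, then accept them and re-check.
# Prints the report lines followed by CLEAN.
fim_demo() {
    site=$(mktemp -d)
    mkdir -p "$site/htdocs" "$site/logs" "$site/fim"
    printf '<p>hello</p>\n' > "$site/htdocs/index.html"
    printf 'old\n'          > "$site/htdocs/old.txt"
    printf 'noise\n'        > "$site/logs/access.log"
    known="$site/fim/known.db"; current="$site/fim/current.db"

    # baseline: watch $site, ignore the log directory and our own databases
    fim_scan "$site" "$known" "$site/logs" "$site/fim"

    # constructed changes: an injected link, a dropped file, a deletion,
    # plus log churn that must NOT be reported because logs are ignored
    printf '<p>hello</p><a href="http://spam.example/">x</a>\n' > "$site/htdocs/index.html"
    printf 'x\n' > "$site/htdocs/extra.txt"
    rm "$site/htdocs/old.txt"
    printf 'more noise\n' >> "$site/logs/access.log"

    fim_scan "$site" "$current" "$site/logs" "$site/fim"
    fim_check "$known" "$current" || :     # report goes to stdout

    # the site owner reviews the report, decides the changes are legitimate
    fim_update "$known" "$current"
    fim_scan "$site" "$current" "$site/logs" "$site/fim"
    fim_check "$known" "$current" && echo CLEAN
    rm -rf "$site"
}
```

Run `fim_demo` from a shell that has sourced the file; the first check prints one ADDED, one CHANGED and one REMOVED line while the log churn stays silent, and the second check, after `fim_update`, prints CLEAN. In real use you would call `fim_scan` and `fim_check` from cron the way the post does for integrit and mail the report to yourself whenever `fim_check` returns non-zero.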

Final considerations:

Note: If you can, you should run integrit (that is BOTH the database files and the binary) from a “safe” partition that isn’t writable. Unfortunately, most of us on shared hosting don’t have that privilege, so just be aware that if a really clever attacker does get in, they’re likely to disable or modify the IDS if they can.

A good way of dealing with this is to keep a copy of your known file database off the webserver and check every so often that the one on the server still matches it.
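One way to do that off-server comparison, as an added example that is not part of the original post and not integrit’s code: take a fingerprint of the trusted files (the known database and the script that runs the check), keep that fingerprint somewhere the webserver can’t write to, and refuse to trust a run whose fingerprint no longer matches. The file names and contents are constructed for the demo; it needs GNU sha256sum.

```shell
#!/bin/sh
# Added example, not from the post or the integrit project: detect tampering
# with the monitoring setup itself by fingerprinting the known database and
# the check script, storing the fingerprint off-server, and verifying it
# before trusting a check. File names below are assumptions for the demo.

# fim_seal FILE... -> prints "sha256  path" lines; keep this output off-server.
fim_seal() { sha256sum "$@"; }

# fim_verify SEALFILE -> 0 if every sealed file still matches, 1 otherwise.
# sha256sum -c re-hashes each listed file; --status keeps it silent and we
# list only the files that no longer match on stderr.
fim_verify() {
    if sha256sum --status -c "$1"; then
        return 0
    fi
    echo "fim: trusted files changed since they were sealed:" >&2
    sha256sum -c "$1" 2>/dev/null | grep -v ': OK$' >&2
    return 1
}

# fim_seal_demo: seal a constructed database and script, then tamper with the
# database the way an attacker hiding a change would, and report the verdict
# before and after as "INTACT TAMPERED".
fim_seal_demo() {
    d=$(mktemp -d)
    printf 'deadbeef  /var/www/index.html\n' > "$d/known.db"   # constructed
    printf '#!/bin/sh\necho check\n'         > "$d/run.sh"     # constructed
    seal="$d/seal.txt"
    fim_seal "$d/known.db" "$d/run.sh" > "$seal"   # real use: copy off-server

    fim_verify "$seal" 2>/dev/null && r1=INTACT || r1=TAMPERED
    # rewriting the baseline so a modified file looks "known" changes its hash
    printf 'cafebabe  /var/www/index.html\n' > "$d/known.db"
    fim_verify "$seal" 2>/dev/null && r2=INTACT || r2=TAMPERED
    rm -rf "$d"
    echo "$r1 $r2"
}
```

In practice you would run `fim_seal` once after each legitimate update, store its output on a machine the webserver cannot reach, and have a job on that machine (or yourself, by hand) run `fim_verify` against the server’s copies before believing a “no changes” report.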